Cybersecurity Briefing CFO Council June 2021


Page 1: Cybersecurity Briefing

Cybersecurity Briefing, CFO Council, June 2021

Page 2: Cybersecurity Briefing

2 CFO Council (June 2021) | Cybersecurity Briefing

About today’s speakers

Justin Greis
• Partner, Ernst & Young LLP
• Chicago, Illinois
• Global and Americas Cybersecurity Strategy, Risk, Compliance, and Resilience Leader
• [email protected]
• justingreis.com
• linkedin.com/in/justingreis
• @JustinGreis

Michael Hinckley
• Senior Manager, Ernst & Young LLP
• Nashville, Tennessee
• Technology Risk, Compliance, and Assurance
• [email protected]
• michaelhinckley.com
• linkedin.com/in/michael-hinckley-ba14239
• @hinckleysong

Page 3: Cybersecurity Briefing

South Carolina Market Leaders

Jessica Donan
• Partner, Ernst & Young LLP
• Greenville, South Carolina
• Greenville Office Managing Partner, Financial Accounting Advisory Partner and US-Central Region Mobility Sector Assurance Leader
• [email protected]
• linkedin.com/in/jessica-donan

Jennifer Walker
• Senior Manager, Ernst & Young LLP
• Charleston, South Carolina
• Assurance and Consulting Services
• [email protected]
• https://www.linkedin.com/in/jennifer-walker-6929971a6/

Page 4: Cybersecurity Briefing

Agenda

1 Today’s security landscape

2 Five common themes in cyber program assessments

3 Cybersecurity Maturity Model Certification (CMMC) update

4 Questions and answers

Page 5: Cybersecurity Briefing

Today’s security landscape


Page 6: Cybersecurity Briefing

Cyber threats continue to evolve and increase cyber risk exposure

[Diagram: attacker groups plotted by attacker resources and sophistication against risk]

Attacker groups, as ordered on the slide along the sophistication axis:

• Unsophisticated attackers (script kiddies)
• Sophisticated attackers (hackers)
• Corporate espionage (malicious insiders)
• Organized crime (criminal networks)
• State-sponsored attacks (APT)

Motivations shown alongside the groups:

• Any information of potential value to sell or use for extortion/ransom: cash/Bitcoin, credit cards, identities, inside information, intellectual property, manipulation of systems, industrial espionage and competitive advantage
• State-sponsored espionage, market/economic manipulation, competitive advantage, military/political objectives, cognitive warfare, social and opinion influence
• Revenge, personal gain, stock price manipulation, competitive advantage, money
• Embarrassment; political, social and environmental causes; amusement or experimentation
• Nuisance or notoriety

Page 7: Cybersecurity Briefing

Cybersecurity incidents are on the rise and billions of records are lost each year

[Chart: Publicly reported cybersecurity breaches and total records lost, 2004–2021. Series: count of cybersecurity incidents and number of records lost (if disclosed), plotted on two axes (0–4,500 and 0–160, in millions). Annotated periods: “Age of exfiltration” and “Age of extortion”. Data as of April 2021.]

• Cyberattacks have become far more destructive

• An increasing number of companies are not able to recover critical data or systems

• “Double extortion” ransomware has significantly increased over the past two years

• Cyber insurance premiums rising (↑20%–50%), and some may no longer cover extortion payouts to criminals

Page 8: Cybersecurity Briefing

Shadow investigations have increased five-fold since 2020

Ransomware trends

• Ransom paid now routinely in millions
• Significant gaps in resiliency, and a big disconnect with business continuity and disaster recovery plans
• Large majority of attacks focused on Windows AD
• Insurance coverage a large factor in payment
• Theft of [old] unstructured data increasing
• Strong monitoring and expedited response key to mitigating impact

Business email compromise trends

• Multifactor authentication and zero trust architecture not deployed in email environments
• Switch routing of payables, receivables or payroll
• Suspicious geographic monitoring and email box rule detection helps with response
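The two detection signals named in the business email compromise bullets, suspicious geographic sign-ins and newly created mailbox rules, worked through as an added example over constructed audit events (this is not EY’s or any product’s code; the event fields, the internal mail domain, the finance keyword list and the four-hour window are assumptions):

```python
from datetime import datetime, timedelta

# Constructed sample audit events (not real log data): "SignIn" records carry a
# country; "New-InboxRule" records carry the rule that was created.
EVENTS = [
    {"ts": "2021-05-03T08:02:00", "user": "ap.clerk", "op": "SignIn", "country": "US"},
    {"ts": "2021-05-03T08:41:00", "user": "ap.clerk", "op": "SignIn", "country": "NG"},
    {"ts": "2021-05-03T08:45:00", "user": "ap.clerk", "op": "New-InboxRule",
     "rule": {"name": ".", "forward_to": "ap.clerk@personal-mail.test",
              "delete": True, "subject_contains": ["invoice", "wire"]}},
    {"ts": "2021-05-03T09:10:00", "user": "cfo", "op": "SignIn", "country": "US"},
    {"ts": "2021-05-03T17:30:00", "user": "cfo", "op": "SignIn", "country": "GB"},
    {"ts": "2021-05-04T10:00:00", "user": "cfo", "op": "New-InboxRule",
     "rule": {"name": "Newsletters", "move_to": "Archive", "delete": False,
              "subject_contains": ["newsletter"]}},
]

INTERNAL_DOMAINS = {"example.test"}  # assumed company mail domain
FINANCE_TERMS = {"invoice", "payment", "wire", "ach", "payroll", "remittance"}
TRAVEL_WINDOW = timedelta(hours=4)   # assumed "too fast to be travel" window

def _ts(event):
    return datetime.fromisoformat(event["ts"])

def geo_anomalies(events, window=TRAVEL_WINDOW):
    """Sign-ins from a different country than the same user's previous sign-in
    within `window`. Returns (user, previous_country, country, ts) tuples."""
    last_seen, hits = {}, []
    for ev in sorted(events, key=_ts):
        if ev["op"] != "SignIn":
            continue
        prev = last_seen.get(ev["user"])
        if prev and prev["country"] != ev["country"] and _ts(ev) - _ts(prev) <= window:
            hits.append((ev["user"], prev["country"], ev["country"], ev["ts"]))
        last_seen[ev["user"]] = ev
    return hits

def suspicious_rules(events, min_reasons=2):
    """Inbox rules showing BEC tradecraft (external forward, deletion, finance
    keywords, near-empty name); reported when >= min_reasons indicators co-occur."""
    hits = []
    for ev in events:
        if ev["op"] != "New-InboxRule":
            continue
        rule, reasons = ev["rule"], []
        fwd = rule.get("forward_to", "")
        if fwd and fwd.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS:
            reasons.append("forwards to external address")
        if rule.get("delete"):
            reasons.append("deletes matched mail")
        if {t.lower() for t in rule.get("subject_contains", [])} & FINANCE_TERMS:
            reasons.append("matches finance keywords")
        if len(rule.get("name", "").strip()) <= 2:
            reasons.append("near-empty rule name")
        if len(reasons) >= min_reasons:
            hits.append((ev["user"], ev["ts"], reasons))
    return hits

def prioritized(events):
    """Rule hits for users who also tripped the geographic check sort first: an
    odd sign-in followed by a new hiding rule is the classic BEC sequence."""
    flagged = {hit[0] for hit in geo_anomalies(events)}
    return sorted(suspicious_rules(events), key=lambda hit: hit[0] not in flagged)
```

The CFO’s legitimate archiving rule and same-day US-to-UK sign-ins fall below both thresholds, while the accounts-payable mailbox trips every indicator and sorts to the top.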

[Pie chart: Shadow investigations* by incident type. Categories: Ransomware (RW), Business Email Compromise (BEC), Malware (MAL), Data Exfiltration (DE), Unauthorized access (UA), Other (OTH). Segment labels: 41%, 21%, 13%, 12%, 7%, 6%.]

*Independent forensic investigation of a cyber incident or breach

Page 9: Cybersecurity Briefing

Threat actors are opportunistic and generally target companies likely to pay

• Three sectors comprise nearly 50% (48%) of the recent shadow investigations: health and life sciences, technology, and consumer products and retail
• No sector is immune!
• Don’t discount the perceived value of the data in your organization.
• You may not be the target, but rather a means of getting to the real target.
• There is an increase in supply chain attacks.
• Preparation is key: those who trained and exercised their program were able to limit the damage.

Shadow investigations by industry

19% Health & Life Sciences (H&LS)
15% Consumer Products & Retail (CP&R)
14% Technology (Tech)
11% Professional Firms & Services (PF&S)
10% Advanced Manufacturing (AM)
9% Hospitality & Construction (H&C)
5% Other
4% Media & Entertainment (M&E)
4% Insurance (Ins)
3% Banking & Capital Markets (B&CM)
3% Government & Public Sector (G&PS)
3% Mobility (Mob)

Page 10: Cybersecurity Briefing

Five common themes in cyber program assessments


Page 11: Cybersecurity Briefing

A framework for evaluating cybersecurity programs

[Diagram: capability map]

Framework domains:

• Governance, risk, and compliance
• Identity and access management
• Security architecture and engineering
• Security operations
• Data protection and privacy

Capabilities assessed:

• Data protection
• Identity and access management
• Security architecture and engineering
• Product security
• Vulnerability identification & remediation
• Metrics and reporting
• Cyber compliance
• Privacy
• Insider threat
• Security infrastructure
• Secure software development and management
• Cloud security
• Operational technology
• Threat intelligence
• Security monitoring
• Incident response
• Policy and standards
• Security education and awareness
• Governance, operating model and organization
• Third-party and supply chain risk management
• Cyber risk management

Adjacent enterprise functions shown around the framework:

• Business & IT strategy
• Resilience
• IT asset management
• Physical security
• Organizational partnerships

Page 12: Cybersecurity Briefing

Companies are relatively good at assessing, identifying risk and building roadmaps …

Framework: NIST Cybersecurity Framework (CSF)

1. Cyber framework and capabilities assessment
2. Risk and controls effectiveness analysis
3. Strategy and initiative or investment road map

[Figure: sample deliverables. A risk heat map plotting threat scenarios (denial of service, malicious users, inadvertent disclosure, extortion, inappropriate use, social engineering, phishing, spam, theft of equipment, hacker (application), hacker (network), malicious code) by inherent risk against strength of existing controls (high/medium/low), with a risk threshold line. A project road map (Nov. 30 to Apr. 30, with a “Today” marker) of Projects 1–8 and their milestones across people, process and technology capabilities, with the status legend Complete, At Risk, Behind Schedule, On Schedule, New Milestone, Deferred or Dropped.]

Page 13: Cybersecurity Briefing

… but they often overlook three critical elements for effective cyber-business integration

1. Alignment to business goals and objectives
• Mapping of cyber strategy to business and IT strategy
• Establish risk profile to align to business goals and anticipate needs
• Apply appropriate levels of controls to protect the things that matter most

2. Engagement and communication mechanisms with business stakeholders
• Service catalog with engagement mechanism and cost chargeback
• Communication and governance channels (bi-directional)
• Performance reporting mechanisms

3. Satisfaction with performance and delivery of security services
• Feedback loops from the business and key stakeholders
• Escalation paths when adjustments and attention are needed
• Recognition for exceptional performance and service

Page 14: Cybersecurity Briefing

Security architecture must “shift everywhere”

[Diagram: security architecture compass (N/S/E/W). Stakeholders around the compass: management; engineers, product managers and customers; regulators and public policy community; vendors, third parties, and supply chain ecosystem.]

Shift left (West)
• Secure SDLC and DevSecOps
• Security and privacy by design
• Certifications and continuous testing assurance (as a testing producer)

Shift right (East)
• Certifications and attestations
• Proactive regulatory “mappings” and transparent regulatory response

Shift up (North)
• Reporting, communications, visibility and accountability
• Budgeting and resource allocation

Shift down (South)
• Enhanced standards and testing (as a testing consumer)
• Zero trust architecture

Page 15: Cybersecurity Briefing

Traditional third-party risk management programs do not protect against supply chain attacks

Typical third-party risk management process:

1. Company identifies a business need and decides to procure software or services from a third party
2. Vendors compete and eventually a service provider or solution is selected (and sometimes is a factor in the selection)
3. Vendor security questionnaire is submitted to the vendor by the company
4. Vendor completes questionnaire and submits required evidence, certifications, or documentation
5. Vendor passes or fails the evaluation; remediation or mitigation may be required
6. Vendor moves to contracting process
7. Vendor is engaged and work begins
8. Solution and/or software deployed in the company environment

Page 23: Cybersecurity Briefing

Third-party security risk management basic hygiene checklist

1. Questionnaires and certifications do not equal code/solution testing

2. Ongoing testing (periodic & triggered) > point-in-time evaluations

3. If vendors do not test their code/solutions with each release, you must. If they do, make them prove it; and you should likely reperform the testing in your environment anyway…

4. Nth-parties (vendors of vendors) pose just as big a risk as the primary vendor

Program basics:

• A complete vendor list
• Procurement channels and shadow IT
• Vendor tiering and evaluation criteria for each tier
• Re-evaluation schedule and triggers
• Evidence and documentation analysis
• Vendor risk monitoring and governance

Page 24: Cybersecurity Briefing

Greater visibility and enhanced monitoring does not necessarily mean better response (but it could)

• Depth (type/amount of data) and breadth (BU, geographies, products, etc.) of monitoring scope
• Business stakeholder integration and system ownership
• Operational technology (OT) environments
• “Black box” SOCs (security operations centers)
• Threat hunting and active defense finds problems before they become problems
• Alert qualification and investigation
• SOC playbook and communication protocols
• Level 3 hand-offs, especially for MSSPs
• Automation versus manual processes; get ready for huge increase in volume

[Diagram: security operations center funnel with tiers Incidents, Blocks, Alerts, Info, Insights]

Page 25: Cybersecurity Briefing

Cyber reporting, metrics and dashboarding are missing some critical elements before they can elevate cyber maturity

Common missing pieces…

• Infusion of business context information
• Persona and audience definition
• Reporting visibility and risk governance
• Interpretation in “plain language”
• Automation and notifications
• Accountability for KPIs and KRIs within defined personas
• Historical trending and future predictive modeling

[Diagram: reporting pipeline. Source systems (A–N, …) feed the security tool stack (Tools 1–5), which feeds a data lake; above it sit the data model and metrics library (analytics, metrics, and data model), then reporting and visualization.]

Page 26: Cybersecurity Briefing

Cybersecurity Maturity Model Certification (CMMC) update


Page 27: Cybersecurity Briefing


CMMC update

The Department of Defense (DoD) CMMC program was initiated in an effort to stop the erosion of US defense capabilities caused by the exfiltration of information from contractor networks.

CMMC is an attempt by the DoD to standardize, validate and enforce cybersecurity practices, which is a shift from the self-attestation model currently utilized under DFARS (Defense Federal Acquisition Regulation Supplement) 252.204-7012.

CMMC will require any contractor bidding to work on a DoD contract to first undergo an assessment by an independent third-party organization to verify that certain cybersecurity standards are met.

It is likely that this requirement will impact more than 300,000 companies and that noncompliance with CMMC could threaten these organizations’ ability to qualify for DoD contracts going forward.

CMMC

Scope and applicability

• Non-federal entities (industry, academia, state, local and tribal governments)

• Controlled Unclassified Information (CUI): information the government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls

Complying with regulatory requirements

• Projected timeline of the CMMC program rollout:

• DoD is planning to roll out CMMC over the next five years with the goal of having 300k+ contractors certified by 2025.

DoD candidate programs (15 December 2020)

• Army

• Navy

• Air Force

• Missile Defense Agency

Preparing for the future

• CMMC maturity levels:

• Level 5 — advanced/progressive

• Level 4 — proactive

• Level 3 — good cyber hygiene (SP 800-171)

• Level 2 — intermediate cyber hygiene

• Level 1 — basic cyber hygiene

CMMC compliance considerations

• Reciprocity with other US Government regulatory frameworks (i.e., FedRAMP)

• Control deficiency expectations

• Development of a System Security Plan (SSP)

Page 28: Cybersecurity Briefing

Supporting our national security

The DoD CMMC program was initiated in an effort to stop the erosion of US defense capabilities caused by the exfiltration of information from contractor networks.

• “Industrial security scored the lowest among the eight dimensions with a 63 for 2019. In fact, industrial security has gained prominence as massive data breaches and brazen acts of economic espionage by state and non-state actors plague defense contractors in recent years.”

• “The trend for cyber vulnerabilities indicates a tremendous change for the worse in global cybersecurity conditions.”

• “DoD’s demand for defense goods and services has trended sharply upward since 2017.”

Source: Vital Signs 2020: The Health and Readiness of the Defense Industrial Base, National Defense Industrial Association (NDIA)

Page 29: Cybersecurity Briefing


Converting CMMC challenges into opportunities

Alignment on protecting the

enterprise

Organizational integration

Value creation

Page 30: Cybersecurity Briefing


Converting CMMC challenges into opportunities

CMMC steering committee

• Chief executive officer

• Chief operating officer

• Chief growth officer

• Chief information officer

• Chief information security officer

• Chief risk officer

• Internal audit

• General counsel

• Procurement

Page 31: Cybersecurity Briefing


Converting CMMC challenges into opportunities

People

• Develop workforce of the future

• Integrate internal and external stakeholders

Process

• Optimize enterprise-wide protection

• Integrate people and data

Technology

• Enable high value data protection

• Enable governance risk and compliance


Page 32: Cybersecurity Briefing


Converting CMMC challenges into opportunities

Risk reduction and operational efficiencies

• Unified and clear vision of stakeholder expectations

• Informed decision-makers across the organization

• Organization growth potential with existing or new potential clients

• Comprehensive understanding of services being provided to the US government

• Improvement in quality of risk information and data availability for decision-making

• Single point of truth for critical risk management matters

• Increased confidence with cyber maturity and investments


Page 33: Cybersecurity Briefing

EY CMMC and Cyber thought leadership

What should be top of mind to continue preparing for CMMC:

Click here

What to do when faced with ransomware:

Click here

Page 34: Cybersecurity Briefing

Questions and answers


Page 35: Cybersecurity Briefing

THANK YOU

Justin Greis

Michael Hinckley

Page 36: Cybersecurity Briefing

EY | Building a better working world

EY exists to build a better working world, helping to create long-term value for clients, people and society and build trust in the capital markets.

Enabled by data and technology, diverse EY teams in over 150 countries provide trust through assurance and help clients grow, transform and operate.

Working across assurance, consulting, law, strategy, tax and transactions, EY teams ask better questions to find new answers for the complex issues facing our world today.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. Information about how EY collects and uses personal data and a description of the rights individuals have under data protection legislation are available via ey.com/privacy. EY member firms do not practice law where prohibited by local laws. For more information about our organization, please visit ey.com.

Ernst & Young LLP is a client-serving member firm of Ernst & Young Global Limited operating in the US.

© 2021 EYGM Limited. All Rights Reserved.

2105-3779053ED None

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, legal or other professional advice. Please refer to your advisors for specific advice.

ey.com